DefendTheWeb Playground Challenge Access Logs

DefendTheWeb.net, previously called HackThis.co.uk, is a very famous and well-known interactive security platform where you can learn and challenge your skills.. It contains challenges from several different cybersecurity fields.

I’ve decided to have a bit of fun and try to solve every single challenge presented, from the easiest to the hardest. (although easy and hard will be different depending on your skillset and field of expertise).

As I do with any challenge website, I WILL NEVER post the flag in cleartext, as it kills the fun and thrill of finding it, however I will post my way (or ways) of getting there. This is done in respect of the website’s security and non-disclosure policy, even when it doesn’t have one ;).

Challenge Access Logs

This challenge is rated as Bronze difficulty, so it might be easy to solve. The author presents us only with a username and password form with a Login button, and a small description

An automatic banning script is running on a target server. The script works by parsing log files for failed login attempts. The script locks out any IP address for 10 seconds after every failed login attempt. The log output will be displayed below. Attempt to login while avoiding detection.“.

The objectiv here is clear “Attempt to login while avoiding detection”. So to login we have to either find the correct credentials or bypass the authentication in a way we are not locked for 10 seconds. Let’s first analyze what a failed login attempt looks like. After fulfiling it with a wrong username and password (MYUSERNAME:MYPASSWORD), the system blocks us for 10 seconds and gives us this:

Jul 15 09:21:56: Failed password for MYUSERNAME from X.X.X.X” (where the X.X.X.X is my real public IP)

On a second attempt I’ve tried to just include a “;ls” in the username to see what happens, but the system just replied a similar message, this time with “MYUSERNAME;ls” in it. Nothing really different.

After a few attempts, judging by the fact that the script has a parser finding the failed login attempt, I’ve tried a “\n” in front of the username, with any other password, and it worked.

So, in this case I believe by adding a “\n” (New line character) it jumps to the next line, and by doing that, bypassing the parsing script. When going back to check the logs, I see that the new-line character really works, and it gives me the same failed login attempt but in two lines this time.

See you on the next challenge.

Related posts